Information published on 26 June 2018 in the UIC electronic newsletter "UIC eNews" Nr 605.

Successful 4th UIC Security Week held from 18 – 21 June 2018 in Paris

“A vision for the future and preparation for the future by focusing on new threats that have emerged. After all, when it comes to security, it’s not just about preventing known incidents or attacks that have already been carried out from re-occurring; it’s also about being constantly proactive and thinking about what might happen, and how to prevent or manage it.”

With this statement, UIC General Director Jean-Pierre Loubinoux opened the fourth UIC Security Week.

He also took the opportunity to congratulate Prof Gerd Neubeck from DB AG for his important involvement as chairman of the security platform over the last two years. The platform will now be chaired by Marc Beaulieu from VIA Rail Canada and vice chaired by Piotr Kurcz from PKP SA.

Over the four days, 84 participants from 23 countries shared information and discussed, inter alia, CBRNE (Chemical, Biological, Radiological, Nuclear and Explosive) threats, cybersecurity, staff and public awareness, Business Continuity Management (BCM), and the upcoming Security Hub. The main results for each topic are set out below.

Seminar on CBRNE terrorism – 18 June 2018:

On Monday 18 June, UIC organised the Seminar on CBRNE terrorism which dealt with chemical, biological, radiological, nuclear and explosive threats. This was the fourth thematic seminar on terrorism following the topics addressed in previous years: Human Factors (2015), Crisis Management (2016), and Radicalisation (2017).
This was the first time that UIC publicly addressed the CBRNE security issue. The decision to address this topic was in line not only with the growing interest of some UIC members in preparing against CBRNE attacks on railway property, but also with the recent failed attempts at such attacks in Europe and with the European Union Action Plan on CBRNE preparedness.

Six presentations gave the state-of-the-art on this issue and facilitated exchanges of information between UIC members, railway security experts, practitioners, researchers and members of academia.

The first three presentations were more institutional, focusing on current research actions in Europe and beyond. Dr Spyros Karakitsios (Aristotle University of Thessaloniki, Greece) presented the activities of the JRC ERNCIP Thematic Group on Detection of Indoor Airborne Chemical-Biological Agents and gave some insight on using sensor technologies to detect chemical or biological attacks in railways. Mr Denis Luyten (UITP, Belgium) shared the results of a survey on the CBRNE threat among the members of UITP and highlighted some of the challenges for the public transport sector, especially for metro operators. Dr Brigita Kairiene (National Public Health Centre, Lithuania) presented the EU Healthy GateWays Joint Action and the planned activities for ground crossings, including rail border points. The UIC Security Division is part of the Advisory Board of this action and will support the working groups.

The last three presentations focused on the results and recommendations from past research projects, providing scientifically validated inputs, tested solutions, and specific examples of preventive solutions which can be used in the railway environment to prevent or respond to CBRNE attacks. Prof José Luis Perez-Diaz (University of Alcalá, Spain) presented Counterfog – a device for large scale counteraction of chemical or biological contamination. This low-cost device is applicable in the railway sector both in closed spaces such as stations or tunnels and in open spaces. Mr Walter Schmitz (Universität der Bundeswehr München Consultant, Germany) shared insights gained into the French-German project RE(H)STRAIN and discussed two types of sensor technologies to detect CBRN agents. Last but not least, Mr Stéphane Couturier (SNEF Group, France) and Mr Bernard Leibovici (SDS Group) presented a prototype device that can be used as a preventative answer to the nuclear and radioactive threat and that could be tested very soon by railway operators if they wish.

Overall, the participants agreed that the seminar helped them share knowledge and best practice, stimulate collaborative work, and foster more robust research and preparedness for the CBRNE threat in the railway sector.
One central question in the discussion was whether preparing for a CBRNE attack scenario should be a railway stakeholder problem or a state problem. The UIC members present mentioned that they would like to implement security measures that could tackle several threats simultaneously and that a certain overlap between safety and security would be beneficial. This request reflects the UIC integrative railway protection approach which includes preparedness against all risks and threats, including events with lower probability but high impact.

Another main point was that railway stakeholders should prepare for CBRNE both in terms of threat detection (mainly through adapted sensors) and effective response. The latter element is closely linked to good levels of staff training and public awareness.

During the discussion it was concluded that UIC would conduct a survey through the Network of Quick Responders to check which members are willing to continue to work on this topic and in which way.

For further information about the CBRNE topic, please contact Grigore Havarneanu: havarneanu@uic.org

Workshop on Cybersecurity – 19 June 2018:

The second day of this fourth security week was dedicated to Cybersecurity. During his welcome speech, Jerzy Wisniewski, UIC Director of the Fundamental Value Departments, highlighted the importance of tackling this issue, which can impact rail operations, safety, data, and moreover the rail business in general.

Leon Brain from DG MOVE presented the ongoing EU Rail Security Developments. A new EU Rail Passenger Security Platform will be implemented by the end of 2018 to collect relevant information on rail security and provide good practice guidance for Member States. Regarding cybersecurity, a proposal for a new EU Regulation, the “Cybersecurity Act”, has been drafted. Moreover, DG MOVE is in the process of launching work to develop an interactive cyber-security toolkit to help raise capacity to identify and mitigate cyber-security risks in the transport sector. Leon Brain also mentioned a recent new initiative to develop a rail sector cyber ISAC (Information Sharing and Analysis Centre) that is led by European Rail Infrastructure Managers with strong support from ENISA and EU Rail Agency.

Then Laurent Maurice from Emis Conseil gave an overview of the new EU General Data Protection Regulation (GDPR), which has been mandatory for all European companies since 25 May 2018, and of its application in the rail sector.

To finish this first session on the European framework, the achievements of the EU funded project CYRAIL, carried out under the SHIFT2RAIL rail transport call, were presented by three of the partners of the project (UIC, AIRBUS cybersecurity and FORTISS). A security assessment and a threat analysis were performed on a rail operational scenario (“worst scenario” in terms of security) prepared by UIC. Attack detection techniques, alert and incident management techniques, and mitigation strategies and countermeasures were proposed and assessed for the rail context by the members of the consortium. The final results of the project will be presented during the CYRAIL final conference that will be held in Paris on 18 September 2018.

Then the industry point of view was given by Emin Simsek from Bosch Security and Safety Systems who described their approach to secure the security systems such as cameras and to ensure the confidentiality, integrity and availability of the information.

The afternoon session was dedicated to the railway experience and organisation regarding cybersecurity. Gerd Neubeck from DB AG, Marc Beaulieu from VIA Rail Canada, and Andrea Valente from FS SpA described the organisation deployed within their companies for tackling this issue. Denis Luyten from UITP presented the results of the UITP working group on cybersecurity and the recommendations published last year for public transport operators on incident management, monitoring, home mobile working, and tendering processes and contracts.

This was followed by a discussion with all the participants. It was often highlighted that cybersecurity needs to be addressed at top management level to secure their support. Dedicated cybersecurity units/teams are increasingly being set up within the rail companies to manage and coordinate all the relevant actors (IT, Security, Operations, Rail Systems, Maintenance, Digital, Human Resources…). Mention was made of the need to include cybersecurity specifications in contracts for public tenders/suppliers, as well as requirements in external maintenance contracts to keep the level of cybersecurity as initially planned.
Sharing details of past attacks or attempted attacks is a very sensitive topic, and these exchanges need to be held in a restricted and adapted format. Another important prevention measure is to raise awareness of cybersecurity issues among all staff; it was proposed to address this during next year’s security awareness day.

Finally, Marc Antoni, Director of the UIC Rail System Department, presented the outcomes of the UIC ARGUS project. Recommendations were issued to better protect the signalling system against cyberthreats. Marc Antoni highlighted the importance of having a systems approach and of integrating safety and security, especially when addressing cybersecurity.

For further information about the cybersecurity workshop, please contact Marie-Hélène Bonneau: bonneau@uic.org

2nd UIC Security Awareness Day – 20 June 2018:

On 20 June 2018, the second UIC Security Awareness Day was organised on various security topics to raise awareness among staff and public. This interactive day was a good opportunity to exchange best practice and to share several experiences from UIC members thanks to the good presentations and demonstrations of creating awareness among employees and customers. This year, the UIC Security Awareness Day brought together 10 speakers from Canada, Belgium, the Netherlands, Germany, Poland, France and Hungary.

VIA Rail Canada presented the awareness campaign on “every VIA Rail employee is part of the security team”. The goal of this campaign was to raise the awareness of employees on security measures already in place, to ensure safety and security, to help employees be attentive and to recognise, record and report the security events.
From Infrabel’s point of view, the awareness day was the opportunity to develop an approach to “make the security staff aware”. For them, the collective behaviour is the sum of the individual behaviour of each employee. They focused their campaign on “locked door” and “badge management”.

NS and SNCF used a live Skype connection to show the audience the awareness day in their network and from the point of view of the people on the frontline.
In parallel to the UIC security awareness day, NS organised an awareness campaign in Amsterdam, Rotterdam, the Hague, Utrecht and Schiphol in stations and for onboard personnel and safety services. The campaign was about “what to do in case of a terrorist attack”. During the Skype session we saw NS staff making passengers more aware; their goal was to create more personal contact with passengers in order to better draw their attention and raise their awareness.

SNCF held an action day for railway staff on how to raise security awareness among railway companies. For that they provided three awareness stands, one to introduce the new visual identity of security, another to introduce the new secure mission guides and the last one about IT security. This action day was interactive and stressed the importance of a direct and more individual contact with the staff.
DB AG presented the Corporate Security Awareness via Social Intranet. In April 2017, Deutsche Bahn AG launched the interactive communication platform “DB Planet” for their employees. In 2018 a diverse Data Protection Campaign has been launched. This campaign contains a security toolbox of data protection, which includes among others web-based training sessions, tutorials and short awareness movies regarding different risks like social engineering.

PKP S.A. presented the “Unattended left luggage and increasing of the awareness of railway users”. They focused on the consequences of unattended luggage in station and on board a train and highlighted the importance of raising awareness among passengers and employees to avoid unattended luggage.

Regarding SNCB, a large awareness campaign against pickpocketing, “Beware of pickpockets”, was launched in Belgium from 20 June to 15 August 2018; they displayed a series of leaflets and a short film against pickpocketing to raise awareness among customers and give them short and clear recommendations. SNCB also used two professional actors who played the role of pickpocket in a train in order to raise the awareness of passengers about their luggage.

MAV presented the topic of “accidents at level crossings” during this day and presented to the audience how they raised public awareness on the dangers of misbehaviour at level crossings for pedestrians and cyclists. They also raised awareness among children through the campaign “children as railway personnel”.
ProRail offered us the interactive session “Information security awareness campaign – Are you Secure?” From their point of view awareness about security is of increasing importance. Human behaviour is critical in information security. For that they developed a mind game with 10 questions, 30 seconds per question. The topics used in the mind game were: weak password, conversation in public places, cloud application, privacy, email phishing and viruses and physical access.

Finally, UITP presented the “counter terrorism awareness training” dedicated to operational and on field staff. This one-hour training course developed by UK police was adapted to UITP. This training covered several topics: threat level, extremism, terrorist profile and vulnerabilities, operation Fairway, hostile reconnaissance and sector advice.

This awareness day included a session on security of women in railway transport, a theme which was already addressed during the International Transport Forum in Leipzig (23 – 25 May 2018). ÖBB, SNCF and UITP gave interesting examples of different measures regarding this topic. It was concluded that exchange on this topic with the members should be fostered. Ways to develop the topic further, covering the feeling of security in public transport and taking a deeper look at different customer groups (which also include security and non-security staff), will therefore be studied.
During this very fruitful and rich UIC Security Awareness Day, we decided that a third awareness day on the main topic of cybersecurity will be organised next year. Of course, the day will be open to other security topics too.

The morning of the fourth day was dedicated to Business Continuity Management (BCM). At the request of the Members of the UIC security platform, a series of dedicated topics regarding Crisis Management & Resilience are planned for 2018 in preparation for the UIC security Congress, which will be held in Bled (Slovenia) on 16 – 18 October 2018 and will address crisis management as the main theme. After the fruitful meeting concerning crisis communication and social media in February 2018 (see eNews 585), this workshop concentrated on BCM, and a third one concerning blackout situations will be organised during the Bled Congress.

Regarding BCM, a generic BCM Strategy doesn’t exist. Therefore, it is even more relevant to share approaches and experiences across different components of BCM. After the welcome from Prof Gerd Neubeck (DB AG), Prof Dr Stefan Pickl (UniBw München) delivered an opening speech, which gave the participants an overview of the different BCM elements and their relevance. Afterwards, Kathrin Faber presented the results of a member survey regarding the current status of BCM within the member companies.

The second part of the workshop concentrated on sharing information and best practices. Pia-Dorothee Haars (DB AG), Jean-Pierre van Eekelen (ProRail) and Maarten Plasschaert (INFRABEL) provided an insight into their BCM policy, organisation, programme and experience and explained how they converted the requirements of the ISO 22301 “Societal security – Business continuity management systems” into practice. All speakers pointed out that they had chosen a practical approach for their BCMS.

The workshop was concluded with the following statements:

A unique and holistic BCM-Strategy doesn’t exist, which makes it more relevant to share approaches and experiences

BCM is always based on worst case (event that occurs / can occur at the most unfavourable time)

BCM is a long-term and iterative process, which is subject to continuous adjustment

A BC-plan is only as good as it is tested

Since it was the first meeting regarding BCM organised within UIC, and based on the fruitful presentations and discussion, it was suggested to create a joint working group (WG) together with the UIC Safety Department. The goal of this WG is to build up a BCM-Railway-Community, to exchange on different BCM components, and to share best practices and lessons learnt.

For further information about BCM, please contact Kathrin Faber: faber@uic.org

Presentation about the Security HUB – 21 June 2018:

During a special session held on Thursday, a mock-up of the upcoming UIC Security Hub web platform was shown to the audience and fruitfully discussed among the development team and the participants.

The main goal of the Security Hub project is to make information about security measures available to railway security professionals worldwide in a secure, comprehensive and handy way. To this end, a large catalogue of security solutions (covering each railway sub-domain) will be drafted and permanently updated by the UIC Security Division, while a flexible search function and a handy browsing interface will allow the end-users (UIC Members, institutional partners, academia) to effectively explore the contents and find useful information about existing security solutions.

In accordance with the UIC legacy and its core values of cooperation and sharing, special emphasis has been put on the interactive functions of the Hub: thus, every user will be able to rate the contents of the web platform, to interact with others through comments and to share with colleagues worldwide their feedback and work experience regarding the security solutions featured in the Hub.

Furthermore, other important projects brought by UIC security division will be integrated in the Hub: railway security professionals will thus be able to explore the contents of the Training Awareness and Communication Toolbox in a new convenient layout, and to take advantage of the Network of Quick Responders posing questions to their colleagues worldwide about arising concerns and quickly getting back the advice of the users’ community.

The participants in the session showed their interest and appreciation for the initiative and engaged in a fruitful conversation about the functions and the contents of the web platform. The discussion also provided valuable inputs to the development team, helping to ensure that the Security Hub will meet end-user expectations and effectively address their professional needs when it is launched during the 14th UIC Security World Congress in Bled (Slovenia) in October 2018.

For more information about the UIC Security Hub Project, please contact Bruno de Rosa: derosa@uic.org